Wi-Fi LAN Security and Co-existence Guideline

Departments with Wi-Fi policy exemption approval to deploy and operate a locally-managed Wi-Fi network must adhere to the following security and coexistence guidelines:

Guidelines for Approved Departmental WLAN Deployment

1.1. Departmentally-managed access points must be configured in a way that prevents interference with campus Wi-Fi infrastructure via the methods described below. In particular, a unique Service Set Identifier (SSID) must be used for departmental installations in order to avoid conflicts with campus Wi-Fi infrastructure. Unfortunately, this means that users may need to reconfigure their laptop computers or PDAs when moving between departmental and campus Wi-Fi infrastructure.

1.2. Departments with UW Information Technology approval to deploy or maintain their own Wi-Fi infrastructure are responsible for all security risks and liabilities associated with such installations. Consequently, it is essential that departmentally managed access points implement some form of access control.

1.3. Link-level protection (link encryption such as WPA, or other forms of isolation) must not be relied on for data security on either wired or Wi-Fi networks: at best it protects a single hop, and traffic is exposed again on the wired network beyond the access point. Sensitive or critical information must be protected end to end at the transport and/or session level using encrypted protocols such as IPsec, TLS/SSL, SSH, or Kerberos.

1.4. When individual network-connected computers endanger the network or other hosts, it is necessary to temporarily disconnect them from the campus network. Similarly, whenever a departmental Wi-Fi access point is configured in such a way that it either interferes with the campus network infrastructure or represents an untenable business risk to the university, it will need to be disconnected until the problem is resolved. This is normally done by having the UW Information Technology Network Operations Center disable the Ethernet port to which the offending device is attached.

1.5. If an attack originates from a client using the departmental access point, that access point (and thus everyone using it) will be disconnected.

Guidelines for Departmental WLAN Access Control

2.1. Due to the potential for misuse by unknown individuals, with little risk of discovery, it is imprudent to deploy Wi-Fi infrastructure without some form of access control. Therefore, departments should deploy at *least* one of the following access control methods in their Wi-Fi access points:

2.2. Be aware that the centrally-managed campus Wi-Fi access control policy requires authentication via UW NetID in order to access resources outside the UW network. This policy is implemented via a “captive portal”: the first request to a website outside UW is redirected to the UW NetID Weblogin page. The policy is intended to prevent liability and embarrassment to the University in case a “drive-by” Wi-Fi hacker attempts to launch attacks against other sites using the UW network.

3.1. Departments are required to configure their Wi-Fi access points to:

Use a non-default, non-null SSID. (This avoids the problem of campus users getting “stuck” to a departmental access point with no way to authenticate, and also provides a “branding” capability to clarify who to call for support issues.)

Use a unique SSID that does NOT contain “University of Washington” in order to avoid user confusion.

Use the minimum transmit power necessary to cover your area.

3.2. Departments may also be required to configure their Wi-Fi access points to:

Use different channels (frequencies) than those of nearby campus access points. (Since this will vary with location and time, it is necessary to coordinate with UW Information Technology on channel use.)

Do NOT broadcast the SSID. (Again, to avoid “trapping” unsuspecting campus Wi-Fi users. Note that this is a coexistence measure, not a security control: a hidden SSID is still transmitted in probe responses and association frames and does not substitute for the access control required in 2.1.)
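The access control requirement in 2.1 and the SSID, channel and broadcast settings in 3.1 and 3.2 can be enforced at the point where the access point is configured. The following shell script is an added example, not part of the UW guideline: it checks a proposed SSID against the rules above and emits a hostapd configuration that uses WPA2-Enterprise (802.1X/EAP against a RADIUS server) as the access control method. hostapd as the AP software, the interface name wlan0, and the RADIUS_SERVER and RADIUS_SECRET placeholders are assumptions; the list of factory-default SSIDs is illustrative, and the channel number must come from coordination with UW Information Technology.

```shell
#!/bin/sh
# Added example (not from the UW guideline): validate a departmental SSID
# against the coexistence rules and emit a hostapd.conf that uses
# WPA2-Enterprise (802.1X/EAP) as the access control method.
# Assumptions: hostapd as the AP software, wlan0 as the radio interface,
# and RADIUS_SERVER / RADIUS_SECRET as placeholders to be filled in locally.

# check_ssid SSID
# Returns 0 if the SSID satisfies the rules, 1 otherwise (reason on stderr).
check_ssid() {
    ssid="$1"

    # Rule (3.1): non-null SSID.
    if [ -z "$ssid" ]; then
        echo "reject: SSID is empty" >&2
        return 1
    fi

    # Rule (3.1): non-default SSID. The factory defaults listed are illustrative.
    case "$ssid" in
        default|linksys|NETGEAR|dlink|ASUS|"Cisco Default")
            echo "reject: '$ssid' is a factory-default SSID" >&2
            return 1 ;;
    esac

    # Rule (3.1): must not contain "University of Washington" (case-insensitive),
    # so campus users cannot mistake it for the central Wi-Fi service.
    lower=$(printf '%s' "$ssid" | tr 'A-Z' 'a-z')
    case "$lower" in
        *"university of washington"*)
            echo "reject: '$ssid' could be mistaken for the campus network" >&2
            return 1 ;;
    esac

    # 802.11 limits an SSID to 32 octets.
    if [ "${#ssid}" -gt 32 ]; then
        echo "reject: SSID longer than 32 characters" >&2
        return 1
    fi
    return 0
}

# gen_hostapd_conf SSID CHANNEL HIDDEN
#   CHANNEL: the channel agreed with UW Information Technology (3.2)
#   HIDDEN : 1 to suppress SSID broadcast (3.2), 0 to broadcast it
# Prints the configuration on stdout; fails if the SSID is rejected.
gen_hostapd_conf() {
    ssid="$1"
    channel="$2"
    hidden="${3:-0}"
    check_ssid "$ssid" || return 1
    cat <<EOF
interface=wlan0
driver=nl80211
ssid=$ssid
hw_mode=g
channel=$channel
# 1 = do not include the SSID in beacons. This is a coexistence measure
# only: the SSID is still sent in probe responses and association requests.
ignore_broadcast_ssid=$hidden
# Access control (2.1): WPA2-Enterprise. Every user authenticates via
# 802.1X/EAP against a RADIUS server, so there is no shared passphrase.
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
auth_server_addr=RADIUS_SERVER
auth_server_port=1812
auth_server_shared_secret=RADIUS_SECRET
EOF
}

# Demo: the first two SSIDs violate the rules, the third is accepted and
# turned into a configuration on channel 11 with the SSID hidden.
for s in "" "University of Washington CSE" "CSE-Lab-WLAN"; do
    if check_ssid "$s"; then
        echo "accepted: '$s'"
    fi
done
gen_hostapd_conf "CSE-Lab-WLAN" 11 1
```

Transmit power (3.1) is not a hostapd.conf setting; once hostapd is running, lower it with `iw dev wlan0 set txpower fixed <mBm>` (the value is in hundredths of a dBm) and confirm the result with `iw dev wlan0 info`. Hiding the SSID keeps campus clients from auto-joining the departmental network but does not hide it from anyone listening for probe or association frames, which is why the 802.1X block, not the hidden SSID, is the access control.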

3.3. Finally, additional best practices include:

Use a secure procedure (e.g. in-person, telephone, PGP email) to contact your local IT support staff about any wireless access point deployed by you or by a third-party.

Ensure those managing the campus Wi-Fi infrastructure have up-to-date contact information for the subnets involved.